Print
Parent Category: Tutorials
Hits: 19587

If you have a Gmail account you may want to grab(fetch) your emails to your
local mail account.
Here is a step by step tutorial:
First you need to configure gmail to allow pop3 mail downloading for your account: "Settings => Forwarding and POP" in your gmail web account.
Check if your fetchmail has ssl support:
$ldd /usr/bin/fetchmail
linux-gate.so.1 => (0xffffe000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7fb7000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7fa2000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7f71000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e6e000)
libc.so.6 => /lib/libc.so.6 (0xb7d56000)
libdl.so.2 => /lib/libdl.so.2 (0xb7d52000)
/lib/ld-linux.so.2 (0xb7feb000)
If you see something like "libssl.so.0...." then yours has it.
Getting the certificates
Creating a directory "'~/.certs"'
$ mkdir ~/.certs
Getting the gmail certificate provided by the gmail pop server:
$ openssl s_client -connect pop.gmail.com:995 -showcerts
You should see something along the lines of:
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIC3TCCAkagAwIBAgIDBZIAMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDUxMTE1MjEyMjQ0WhcNMDcxMTE2MjEyMjQ0
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xFjAUBgNVBAMTDXBv
cC5nbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMP8LCYiLGJ/
RihwcOi1V/zHVTw0Gfu+mI141Vjuuj2DtQoav8emwlXbu8gZoKP9GeMWpX1Vo9qN
4gkslIToHmDnIwGjcaEAfpdhSR9g54Kf5Y7BEXVyco6mTIlpe9vsbV0dmB1FvLP2
1N09dkUJfi7V0fjb8mcn3QYu6+6QNoxPAgMBAAGjga4wgaswDgYDVR0PAQH/BAQD
AgTwMB0GA1UdDgQWBBTdASsopgao1m8hcEg0cDZhucltljA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAf
BgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAln3/pVqYnUXA1TVGzOqX
LFhohGxpuNkr1UJnQmYxmZeB07uPBYRX8c0JXEKs29TmAHRsLhmp8kF36F11Dxgi
Xm/Y8I9zgWHoMj7SL3Ve/u8K8K7XcUyUuaWmldLQAREafpFy+f+KYHGuAVh8hjy6
XyPlMCqj+PNp8QXjgOcgO68=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 891 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 2B7DBD96435D71F6D09A5DE95FD37C21132B118B98FBA33DAAAA646B155BB333
Session-ID-ctx:
Master-Key: 3A74300160B4E7B5424160EC1F7A7A700E107BAA8C23B2BFC66B22E7DF03D2F359551E7E08218C835FC956AF9A04A3C1
Key-Arg : None
Start Time: 1134859072
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK Gpop i16pf3941185wxd ready.

Copy everything from (and including) the "-----BEGIN CERTIFICATE-----" to the "-----END CERTIFICATE-----", and save it in your new .certs directory as "'gmail.pem"'. You also need a copy of the certificate of the issuer, in google's case "Equifax Secure Certificate Authority".
~/.certs$ wget --no-check-certificate -O equifax.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
For your ease I will put the needed code in here which you just need to copy/paste into a new file called "'equifax.pem"':
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----
Now you have both certificates stored in ~/.certs. you just need to rehash them so ssl (and fetchmail) can read and use them:
$ c_rehash ~/.certs/
Doing /home/user/.certs/
equifax.pem => 594f1775.0
gmail.pem => 7f549ca4.0

 

To check that you have the correct and working certificates,  make a ssl connection to the gmail server testing your 2 new certificates:
openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs/
... ...
---
+OK Gpop h19pf3704794wxd ready.
There should be much more data inbetween, however the important thing to note is the final (or similar) "+OK Gpop h19pf3704794wxd ready." If not, please retrace the above steps to confirm you have it correct.
Setting up fetchmail

You need to configure out ~/.fetchmailrc file check every 90 seconds automatically if we have mail, and if so to download it.  For this fetchmail example I am going to use the username (locally on the system) as "user", the gmail address of "This email address is being protected from spambots. You need JavaScript enabled to view it.", and the password of "secretpassword":
$ cat .fetchmailrc
set daemon 90
set syslog
set postmaster user

#This email address is being protected from spambots. You need JavaScript enabled to view it.
poll pop.gmail.com
proto POP3
port 995
auth password
user This email address is being protected from spambots. You need JavaScript enabled to view it.' there
with password 'secretpassword' is user here
nokeep
ssl
sslcertpath /home/user/.certs/



Right, save the file, and now we can do a test verbosely to see if it works. Note: mail will be downloaded into your system-default mailbox, depending on your system. Hopefully you already know where that is located. Do the verbose test with:
$ fetchmail -d0 -vk pop.gmail.com
fetchmail: 6.2.5.2 querying pop.gmail.com (protocol POP3) at Sun Dec 18 00:24:05 2008: poll started
fetchmail: Issuer Organization: Equifax
fetchmail: Unknown Issuer CommonName
fetchmail: Server CommonName: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
fetchmail: POP3< +OK Gpop i34pf3725375wxd ready.
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
fetchmail: POP3< EXPIRE 0
fetchmail: POP3< LOGIN-DELAY 300
fetchmail: POP3< X-GOOGLE-VERHOEVEN
fetchmail: POP3< .
fetchmail: POP3> USER This email address is being protected from spambots. You need JavaScript enabled to view it.
fetchmail: POP3< +OK send PASS
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Welcome.
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for This email address is being protected from spambots. You need JavaScript enabled to view it. at pop.gmail.com
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Farewell.
fetchmail: 6.2.5.2 querying pop.gmail.com (protocol POP3) at Sun Dec 18 00:24:10 2008: poll completed
fetchmail: normal termination, status 1
Your output might be longer if you had mail waiting already for you to download from gmail. This above example had an empty mailbox, but as you see it logged in successfully, and logged out successfully too.

If this is all working fine, then you can start your fetchmail daemon with the command:
$ fetchmail

Note:

We use Hosting and VPS Hosting, from: www.star-host.org

We like and trust them.

Good prices, high security.